Add security policy for project and organizations (#2110)

Fixes OPS-3890.

Author: MarceloRGonc

packages/server/api/src/app/organization/organization.controller.ts

@@ -6,11 +6,14 @@ import {
   assertEqual,
   OpenOpsId,
   Organization,
+  Permission,
   PrincipalType,
   SERVICE_KEY_SECURITY_OPENAPI,
   UpdateOrganizationRequestBody,
 } from '@openops/shared';
 import { StatusCodes } from 'http-status-codes';
+import { organizationIdResolver } from '../core/security/route-policies/property-source-factory';
+import { getOrganizationScopedRoutePolicy } from '../core/security/route-policies/route-security-policy-factory';
 import { organizationService } from './organization.service';
 
 export const organizationController: FastifyPluginAsyncTypebox = async (
@@ -37,6 +40,14 @@ export const organizationController: FastifyPluginAsyncTypebox = async (
 };
 
 const UpdateOrganizationRequest = {
+  config: {
+    allowedPrincipals: [PrincipalType.USER],
+    security: getOrganizationScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+      permission: Permission.WRITE_ORGANIZATION,
+      organizationIdSource: organizationIdResolver.fromParams('id'),
+    }),
+  },
   schema: {
     body: UpdateOrganizationRequestBody,
     params: Type.Object({
@@ -53,6 +64,10 @@ const UpdateOrganizationRequest = {
 const GetOrganizationRequest = {
   config: {
     allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+    security: getOrganizationScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      organizationIdSource: organizationIdResolver.fromParams('id'),
+    }),
   },
   schema: {
     tags: ['organizations'],

packages/server/api/src/app/project/project-controller.ts

@@ -2,7 +2,13 @@ import {
   FastifyPluginCallbackTypebox,
   Type,
 } from '@fastify/type-provider-typebox';
-import { ApplicationError, Project, SeekPage } from '@openops/shared';
+import {
+  ApplicationError,
+  PrincipalType,
+  Project,
+  SeekPage,
+} from '@openops/shared';
+import { getProjectScopedRoutePolicy } from '../core/security/route-policies/route-security-policy-factory';
 import { paginationHelper } from '../helper/pagination/pagination-utils';
 import { projectService } from './project-service';
 
@@ -53,6 +59,11 @@ export const userProjectController: FastifyPluginCallbackTypebox = (
 const ProjectWithoutToken = Type.Omit(Project, ['tablesDatabaseToken']);
 
 const GetUserProjectRequestOptions = {
+  config: {
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+    }),
+  },
   schema: {
     response: {
       200: ProjectWithoutToken,
@@ -61,6 +72,11 @@ const GetUserProjectRequestOptions = {
 };
 
 const ListUserProjectsRequestOptions = {
+  config: {
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+    }),
+  },
   schema: {
     response: {
       200: SeekPage(ProjectWithoutToken),

packages/shared/src/lib/common/security/permission.ts

@@ -34,4 +34,7 @@ export enum Permission {
 
   // Analytics
   WRITE_ANALYTICS = 'analytics:write',
+
+  // Organization
+  WRITE_ORGANIZATION = 'organization:write',
 }